Python has been a popular language among penetration testers from some time now and is used extensively here at RSM. Python version 3 has been out since December 2008 and yet many scripts currently being produced by the security community exclusively target version 2.7. Given that Python 2.7 is in maintenance mode only at this point, it's important for people to have the tools ... READ MORE
R&D
Organizing the Bad News – Auditing Passwords with Python
From time to time we find ourselves conducting a password audit for a client. While not terribly exciting from an attackers point of view, it is a necessary check to perform and can provide valuable output if the client is capable of acting on it. Many organizations also perform similar assessments internally. Typically the process looks something like this: 1. Obtain ... READ MORE
King Phisher 1.0 Released
Since it's inception almost two years ago King Phisher has changed the way we at RSM provide email based social engineering services to our clients. We have integrated it into our external penetration testing methodology as well as relied on it for dedicated social engineering assessments. At the time, other phishing projects did not have the flexibility to meet all of the ... READ MORE
Crontab One Time Payload Execution
Recently, I was writing an exploit for a vulnerability that I had discovered in a Linux based server application. The flaw, when successfully exploited, allowed a file to be written anywhere on the file system with the permissions of the user running the server. In the case of the application I was targeting, it was often executed as root in order to bind to a privileged port ... READ MORE
Spawning Meterpreter Over Bluetooth
The last post on Shells with Spencer presented code to spawn a shell with a full PTY with a Bluetooth RFCOMM socket for extended post exploitation access. This post will present an additional technique, this time for spawning a Metasploit Meterpreter session between two hosts using a Bluetooth RFCOMM socket. Specifically, in this Proof-of-Concept, a Meterpreter session will be ... READ MORE
Spawning Shells Over Bluetooth
Lately, unique remote access techniques have become more commonly discussed. Most are payloads that beacon over some protocol using space within it that might be re-used for nefarious purposes (think HTTP). Some others are ones that use more obscure protocols that may not rely on TCP/IP at all. These have the added advantage of being able to communication more quickly than some ... READ MORE
I Like Syscalls (And I Cannot Lie)
So with the release of Windows 10 I (like many before me) decided to look into what new syscalls have been added. Syscalls are the means by which code running in the context of a user can request the functionality provided by the kernel be executed. This includes many basic operations such as opening and reading from files. Collecting this information will allow us to identify ... READ MORE
Injecting Python Code Into Native Processes
There is quite a bit of material publicly available on DLL injection, the different techniques and how it works. Often times it's helpful for a researcher to be able to execute code within the context of a specific process, and DLL injection is an ideal way to accomplish this. By injecting a DLL into another process, that process can be "infected" allowing the injected DLL to ... READ MORE
King Phisher 0.2.1 Released
Yesterday, RSM released the latest version of their King Phisher phishing campaign toolkit. This version adds some exciting new features with a focus on usability. The message editor received some nice improvements, including syntax highlighting. The editor window now uses the GtkSourceView project to provide a more user friendly environment for writing and modifying ... READ MORE
MasterLock Combination Lock Vulnerabilty and Exploit
A couple of weeks ago, I came across an article from Samy Kamkar on how to successfully guess a combination for a standard MasterLock combination lock. It seemed pretty interesting so I gave it a try, and to my surprise it worked! However, a big downside was having to visit his website to run the algorithm in order to get the list of eight possible combinations. On a typical ... READ MORE